Add a patch to zeroize kcapi-hasher for FIPS 140-3
Resolves: RHEL-15290 Signed-off-by: Zoltan Fridrich <zfridric@redhat.com>
parent
0bb5dedc42
commit
079fd9aefc
58
003-zeroize-hasher.patch
Normal file
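--- /dev/null
+++ b/003-zeroize-hasher.patch
@@ -0,0 +1,58 @@
+From e6e9288ecce61101ab765bc966ba8f780915802f Mon Sep 17 00:00:00 2001
+From: Zoltan Fridrich <zfridric@redhat.com>
+Date: Wed, 1 Nov 2023 10:54:03 +0100
+Subject: [PATCH] kcapi-hasher: zeroise temporary values for FIPS 140-3
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Requirement introduced by AS05.10:
+"The temporary value(s) generated during the integrity test of the
+module’s software or firmware shall [05.10] be zeroised from the module
+upon completion of the integrity test;"
+
+As some modules use fipscheck or sha*hmac for integrity tests, these
+temporary values need to be zeroised from the hasher.
+
+Signed-off-by: Zoltan Fridrich <zfridric@redhat.com>
+Signed-off-by: Stephan Mueller <smueller@chronox.de>
+---
+apps/kcapi-hasher.c | 4 ++++
+1 file changed, 4 insertions(+)
+
+diff --git a/apps/kcapi-hasher.c b/apps/kcapi-hasher.c
+index 098b655..f5caf77 100644
+--- a/apps/kcapi-hasher.c
++++ b/apps/kcapi-hasher.c
+@@ -360,6 +360,7 @@ static int hasher(struct kcapi_handle *handle, const struct hash_params *params,
+if (hashlen > (uint32_t)ret) {
+fprintf(stderr, "Invalid truncated hash size: %lu > %zd\n",
+(unsigned long)hashlen, ret);
++ kcapi_memset_secure(md, 0, sizeof(md));
+return (int)ret;
+}
+
+@@ -376,6 +377,7 @@ static int hasher(struct kcapi_handle *handle, const struct hash_params *params,
+ret = 1;
+else
+ret = 0;
++ kcapi_memset_secure(compmd, 0, sizeof(compmd));
+} else {
+if (outfile == NULL) { /* only print hash (hmaccalc -S) */
+bin2print(md, hashlen, NULL, stdout,
+@@ -396,6 +398,7 @@ static int hasher(struct kcapi_handle *handle, const struct hash_params *params,
+fprintf(stderr, "Generation of hash for file %s failed (%zd)\n",
+filename ? filename : "stdin", ret);
+}
++ kcapi_memset_secure(md, 0, sizeof(md));
+return (int)ret;
+}
+
+@@ -696,6 +699,7 @@ static int process_checkfile(const struct hash_params *params,
+if (file)
+fclose(file);
+kcapi_md_destroy(handle);
++ kcapi_memset_secure(buf, 0, sizeof(buf));
+
+/*
+* If we found no lines to check, return an error.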
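Review bot: The wipes in hasher() are attached to individual exits (the truncated-size return, the end of the compare branch and the final return), so any other return between filling `md` and the end of the function would leave the digest on the stack. The function body lies mostly outside these hunks, so I cannot tell whether such a path exists. Routing every exit through one cleanup label that calls `kcapi_memset_secure(md, 0, sizeof(md));` and `kcapi_memset_secure(compmd, 0, sizeof(compmd));` would guarantee the wipe regardless. All four calls size the wipe with `sizeof` on the object, which clears the whole buffer only if `md`, `compmd` and `buf` are declared as arrays in scope; the declarations are not visible here and are worth confirming. A short comment at each call, for example `/* FIPS 140-3 AS05.10: zeroise integrity-test temporaries */`, would stop a later cleanup from dropping them as dead stores.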
|
@ -136,6 +136,7 @@ Source3: fipshmac-openssl.sh
|
||||
|
||||
Patch1: 001-tests-kernel-version.patch
|
||||
Patch2: 002-fips-disable-ansi_cprng.patch
|
||||
Patch3: 003-zeroize-hasher.patch
|
||||
|
||||
BuildRequires: bash
|
||||
BuildRequires: coreutils
|
||||
@ -519,6 +520,8 @@ popd
|
||||
Resolves: RHEL-5366
|
||||
- Add a patch to fix auxiliary tests in FIPS mode
|
||||
Resolves: RHEL-2406
|
||||
- Add a patch to zeroize kcapi-hasher for FIPS 140-3
|
||||
Resolves: RHEL-15290
|
||||
|
||||
* Tue May 26 2020 Sahana Prasad <sahana@redhat.com> - 1.2.0-2
|
||||
- Fix double free issue in hasher()
|
||||
|